Ransomware Resiliency and a Modern Air Gap Solution

Protection ‎06-08-2021
BlogHeroImage

There is a scene from a military procedural show that I often reference with my IT friends. The computers in a high-tech base of operations come under attack in the show, and the techy person on the team tries to counter this attack in real-time. Unfortunately, the attack is “moving too fast,” so her buddy helps out by typing on the same keyboard to catch up, which of course, does not help. In the end, their wise boss unplugs the systems to stop the attack. While the entire situation is comical in several ways, the conclusion is an interesting take on the concept of an air gap. While we don’t normally unplug a system's power to air gap them, we often disconnect them from networks to effectively achieve the same goal. The idea being if you have no means in, no harm can happen.

Generally speaking, air gaps will work to keep your data safe from threats like ransomware, especially if you have clean data and you physically remove it, leaving it on a medium (like tape) or an air-gapped system (no network connectivity). In a world where little or no activity happens overnight or on weekends, it is possible to coordinate dumps of data to air-gapped systems and restore operations should the worst happen from that data. In practice today, there is no downtime for most organizations; whether it's finance, governments, or healthcare, the 24/7 workday for IT systems is here to stay. So how do we gain the peace of mind provided by air gapping while keeping pace with the constant stream of new data that needs to remain protected?

Before we get to one possible solution, let's look at the qualities that air gaps provide that help protect data. First, they remove the data from production; if production gets taken down by ransomware, or some other event, we have a copy of the data elsewhere. Second, the data remains immutable (can’t be changed) and indelible (can't be deleted). This is achieved because the data is separate from any system that could affect such changes. Lastly, the data is inert. Chemically inert means a chemical that is stable and unreactive under specified conditions. A classic example from grade school chemistry is how Neon is unreactive until an electric current is added. Similarly, when we speak of inertness when it comes to data, we mean that it isn’t active and can’t further infect systems because it is isolated from its source and stored apart from the environment it was meant to function in. Without that environment, it behaves much like neon without electric current. 

So, we can sum up the key valuable traits: having an offline copy, keeping data immutable and indelible, and rendering threats inert while stored. Enter NetBackup Auto Image Replication (AIR). AIR is a feature of NetBackup solving for both the challenge of low or no downtime in production, which could allow for standard air gapping, and the key traits we have identified that we value from an air gap solution. 

OFFLINE COPY

NetBackup AIR is a feature available as part of an automated storage lifecycle policy. That is a lot of jargon for one sentence but follow me for just a second. As part of the automatic parameters set up ahead of time, AIR can take your backup data and replicate it to a separate NetBackup server. This replication happens in an optimized manner sending over unique data, which means anything that is the same as previously written blocks isn’t sent, saving time and network bandwidth. Additionally, this activity can happen either 24/7 or during set windows providing flexibility in optimizing this activity. Lastly, you can configure the network in several ways, including making sure traffic is only possible in one direction, is encrypted in transit, and leveraging a narrow band of specific ports helping to make a more oblique vector for any possible attack during the replication process. 

IMMUTABILITY AND INDELIBILITY

NetBackup AIR can leverage some layers of Immutability and Indelibility. The most visible example of this would be storing the replicated data in NetBackup immutable storage; indeed, here is a great blog on its specifics and how it works. A less visible example is the nature of NetBackup’s deduplication known as MSDP. When new unique data is sent over to an MSDP storage pool, it is given a hash and stored. If the same data block comes in again, it doesn’t get written, but instead, a pointer to the unique block is created. That unique block can not be deleted or changed logically until the last backup image that needs it has expired. This gives blocks resilience within the system and insulated data from changes. Any changes, such as ransomware encrypting data or new ransomware extensions, would be written to their own unique and isolated hash. 

INERT

This brings us to the last key trait that air gaps provide, and NetBackup AIR can also deliver: Inertness. Specifically, the data stored can’t infect other systems or the other data in the shared storage. Data stored with NetBackup AIR achieves inertness in two ways. First is the nature of a NetBackup image itself; a NetBackup image is not simply a copy of a server or data on storage, NetBackup takes the time to encapsulate any data it ingests into a tar file. As data ingested is no longer stored in its native format, it is incapable of functioning as it otherwise would while stored in this state. Only when properly restored could it return to a functional state. The second layer of inertness comes once again from the nature of MSDP. One concern that could arise when writing new images over old infected data could replace uninfected data. Thanks to unique data being stored as segregated objects, any infected images stored become new blocks, and thus the uninfected blocks also remain, separate and uninfected within the system. 

AIR GAP
 
The collective capabilities of AIR to keep data separate, immutable, and inert while at the same time keeping pace with constant operations facilitate a modern approach to providing the value of an air gap without sacrificing performance. When incorporated as part of a broader approach to ransomware resiliency, AIR can help organizations recover quickly from clean data when ransomware strikes.   
 
To learn more about security features and cybersecurity strategy tips? Read our Ransomware Resiliency White Paper.